The rules of engagement for offensive counter strikes [in cyberwarfare] are more tricky. Does the US, after identifying a non-state actor attacking it, go after the actor themselves? Or do they pressure the government where the non-state actor is located to handle them? Or do they launch an attack on the government if they consider their enforcement lackadaisical? Or perhaps even intentionally sheltering cyber attackers?

I suppose that for this, the standard military rules of engagement apply.

Going Kinetic: Rules of Engagement

In my humble opinion this is exactly the direction discussion of a cyberwar should go in however as my recent research posted here and here indicate, I’m not sure whether we as a people can fully share the same perspective on what warfare is anymore. Borrowing an applicable statement from a military historian:

…the presence of multiple combatants with differing views of whose war is more legitimate requires a resolution that in large part depends on which party can better mobilize the violent tools of coercion.

I definitely see a wide gap between the backgrounds of speakers on the current cyberwarfare concept and the public should have a common frame of reference in order to make informed policy decisions. Right now, military applicability is set within Title 10 of the United States Code and ROE comes from the top [President Obama] down.

Opinion: Mixed

The conversation on cyberwarfare should happen. The decision President Truman made to drop the bombs in Japan and end World War II was no less difficult as I see as an asymmetric and kinetic response to a cyberattack. If I were President I would heavily weigh the deterrence value of an asymmetric targeted strike against the expected backlash. As in, whether a Stealth B-2 carrying a load of JDAMs should take out a car full of cyber-mercenaries who incapacitated Los Angeles, most probably on someone’s sovereign soil.

If that act prevented further acts of terrorism or cyber-anything, that will be weighed in history alongside President Truman’s decision.

…it should also be noted that a 2009 review of U.S. policy and doctrine publications does imply "that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattacks (namely, cyberattacks with devastating impacts) may be possible."

However, we civilians may never see this surface publicly because rules of engagement (ROE) have never been truly ‘public’ and I’m not sure they should be that transparent since [in traditional warfare] lives may hang in the balance…